Meta

Thunderf00t, and Violating Email Privacy

The Freethoughtblogs network was recently informed that former Freethoughtblogs blogger thunderf00t has been forwarding private emails from the private FTB email list. He has not only been forwarding emails sent during the short time he was a blogger on this network — he used a security loophole to re-gain access to the email list shortly after he was fired from the network and blocked from the list, and has been accessing emails he never had any right to see. When this security breach was discovered and he was shut out again, he tried several times to re-access the private list. And he has already made the content of some of those emails public. (UPDATE: If you want to know exactly what thunderf00t did and how, Jason Thibeault has the technical details.)

I need to talk about this.

I don’t think it’s any great surprise to anyone that Freethoughtblogs has a private backchannel email list. Much like most companies and organizations have private email lists. In this list, bloggers in the network share links, ask for help with research, get feedback on posts we’re working on, ask for help publicizing posts we’re particularly proud of or think are particularly important, think out loud about ideas we’re wrestling with, do logistical planning, hash out differences, vent, joke around, ask for and give support during hard times, and more. The backchannel list is how we planned the April Fool’s round-robin; it’s how we brainstormed about the Secular Student Alliance fundraising blogathon; etc.

This private email list is… well, private. And every single email sent through that list has this postscript automatically appended to it:
“All emails sent to this list are confidential and private. Revealing information contained in any email sent to the list to anyone not on the list without permission of the author is strictly prohibited.”

There’s a reason these conversations are private. Among other things:

People — especially anonymous and pseudonymous bloggers — reveal private information that could jeopardize their jobs if it were made public.
People — especially anonymous and pseudonymous bloggers — reveal private information that could jeopardize their physical safety if it were made public.
People brainstorm ideas that they later decide are bad ideas, and don’t want to be held to.
People discuss private medical matters and personal family issues, which could hurt both themselves and others if they became public.
People hash out differences of opinion that they don’t want to turn into a giant public debate.
People talk about personal, emotional stuff that they don’t want to share with the entire Internet.

If you have ever said anything privately that you wouldn’t want made public — because you were thinking out loud, because you knew the people you were talking with would understand the context but the general public wouldn’t, because you were mad and said things you didn’t really mean, because you don’t want everyone on the Internet to have your home address and phone number, because some things are just private and you bloody well have the right to decide who to tell them to — then you almost certainly understand exactly how important this is, and what a terrible violation it is, and why. People need to be able to talk freely among their friends and colleagues, without parsing every word for public consumption. People need this — and they have a right to have it. That’s a no-brainer.

Now.

Every single time that thunderf00t sent an email through this private backchannel, every single time that he received an email through this private backchannel, he was agreeing to this privacy policy. Every time he sent or received one of these emails, he was signing onto this agreement:

“All emails sent to this list are confidential and private. Revealing information contained in any email sent to the list to anyone not on the list without permission of the author is strictly prohibited.”

Participation in this backchannel list is entirely voluntary. It’s not a requirement of being a blogger in the network, and in fact not all bloggers in the network participate in it. Thunderf00t could very easily have opted out of it. Every time he sent or received an email through this network, he was signing onto an agreement to keep that email private. Forwarding these emails crosses a clear line into grossly unethical behavior.

And regaining access to the private email list after being fired from the network… that races past that line at a hundred miles an hour. It’s bad enough to pass on emails you received privately and agreed to keep private. It is a thousand times worse to deliberately gain access to private emails you never had any right to see… emails that, in fact, you personally and explicitly had been refused access to.

What’s more, I think it’s worth pointing out that these actions do serious injury, and are a gross violation of trust, against everyone in the Freethoughtblogs network, and against everyone participating in the private email list. Including people who never participated in the public debate with thunderf00t, and who had nothing to do with the decision to fire him. This was is not a surgical strike. It was a firebombing. And it seems to have been done for no reason other than to pursue a personal vendetta.

This is a gross violation of basic human decency. There is no possible spin that can make it into anything else.

Share this:

Like my blog and my work? It's made possible by generous support from readers like you. You can support it with a donation to my tip jar (one-time or monthly), or by buying my books and saying nice things about them.

“Every single time that thunderf00t sent an email through this private backchannel, every single time that he received an email through this private backchannel, he was agreeing to this privacy policy.”

Legally speaking I do not believe this is a true statement. It is more like a statement of copyright protection . . . like what you see on sports broadcasts that say no reproduction is permitted without express written permission of the creators. If someone ignores that statement and reproduces the work they may be able to be sued for copyright infringement (suing another person in a private action for breach of copyright law), but not for breach of contract (suing someone because of breach of a mutually-agreed contract).

It’s possible that as a prerequisite of joining the an e-mail list that a person be required to sign a nondisclosure agreement, but a notice posted at the bottom of an e-mail does not constitute a valid mutually binding contractual obligation (“he was agreeing”).

I think jim is mostly correct. The disclaimer at the bottom of an e-mail has dubious legal bindings. If thunderf00t signed an NDA, that would be the basis of a lawsuit. The e-mail disclaimers will help in any lawsuit, but I haven’t seen any lawsuit initiated based solely on that.

The other approach for a legal action (assuming he didn’t sign an NDA) is via the hacking that thunderf00t did (using a security loophole is still hacking if he did not have a legal right to access the system in that way). That is a serious crime in its own right.

Considering what that “idea” was, and the fact that he shared it only with the person endangered by that “idea”, I feel it was justified. Granted, I just started reading about this due to the rash of apparent smear pieces about a specific person. I have only started reading both sides of the story and so far it runs the risk of making my reader feed much, much thinner than this morning.

Did any of the forwarded emails actually breach any of the reasons for the privacy policy, i.e. the sentences starting with “People”?

Does that matter? The mere potential for that to happen is enough for this to be a disgusting and highly immoral move on TF’s part. Nobody can say, “Oh, well, no actual harm was done, so it’s all hunky-dorey.” Because there’s always the chance that real harm was done, and nobody has realized it yet.

While I agree with almost everything you have said (except what jim pointed out in reply #5), I think that Thunderf00t himself made a valid argument as a defense against a part of this (which you linked to). Namely that the anonymity/pseudonymity was already broken with regards to him being in on the contact details of people. So, while it is certainly a very bad (maybe criminally stupid) thing that he has done, that part of it at least rests on whoever decided to admit him in the first place (and thus trust him with other people’s private information), at least in my opinion.

In short, blame him for everything that is his fault, but the pseudonymity breach is not his fault.

Whether or not TF’s actions were legally actionable isn’t really at issue here. The point Greta was trying to make was that his actions were unethical and malicious. What he did was wrong, petty, childish, and mean spirited. TF knew those emails were meant to stay private and he almost certainly knew the reasons they were intended to be private (as stated in the OP). This is the equivalent of the school bully stealing another kid’s diary and reading it over the intercom to shame and humiliate him/her.

It mattered enough that those things were specifically itemized in the post above. Since the post doesn’t detail what Thunderf00t did except forwarding information (some? all?) somewhere (public? private? specific person? reason?) but then goes on to list all these very reasonable things one would like to keep private, yes it does matter to me what was actually revealed, what the big crime really was.

And it should matter. For me it is a much more serious breach of confidence to actually leak someone’s medical records to a third party, than, for example, warning someone you sympathize with ahead of time that they are likely to become a target for a very small scale conspiracy.

In fact, I might even consider doing something like that for someone I do NOT sympathize with.

There is a very real difference between “real damage COULD have been done” and “real damage WAS done”.

The point Greta was trying to make was that his actions were unethical and malicious.

Which would guarantee condemnation from most communities – however, it’s recently become clear there is a vocal section of the atheist/skeptic community who have no interest in ethical behaviour and no problems with maliciousness; rather, they revel in it, and will be cheering Thunderf00t on, no matter how much harm his actions might cause to actual people.

So if I break into somebody’s house with a weapon, but do not actually harm or kill anyone, does the fact that I was holding a weapon not mean anything?

He hacked into a private email list after he was specifically banned from it. He knew at one point that the emails were private and NOT to be shared with anyone.

It’s still likely that somebody’s words, even taken out of context and not quoted, could still get back to somebody and do real-life harm to them. Regardless of what real harm was done, what TF did was unethical and potentially illegal.

I really do find this outraged declaration that he does not “doc drop” to be almost laughably deluded. It’s like someone who breaks into your house because you forgot to latch a window. He comes into your house and steals your china and jewelry, then reacts in mock outrage when you suggest that he might steal your TV too. In fact, he screams “I do not steal TVs!” at the top of his lungs to the neighbors while he’s handing your other possessions out the door to someone else. And then he expects that declaration to be credible and to provide some assurance of his character.

While I agree with almost everything you have said (except what jim pointed out in reply #5), I think that Thunderf00t himself made a valid argument as a defense against a part of this (which you linked to). Namely that the anonymity/pseudonymity was already broken with regards to him being in on the contact details of people. So, while it is certainly a very bad (maybe criminally stupid) thing that he has done, that part of it at least rests on whoever decided to admit him in the first place (and thus trust him with other people’s private information), at least in my opinion.

Bull. Just as consent to one thing doesn’t imply consent to anything and everything afterwards, giving Thunderf00t access to the mailing list does not give him a right to do anything he wants with it. That notion was explicitly written out in the automatic footer. (And that’s just talking about the stuff he apparently released while still on the mailing list legitimately)

The fact that other pieces of communication have been leaked before has no bearing on this either. I believe I’m safe in assuming that those pieces of communication were released only by the consent of everyone involved in them. I also believe I’m safe in assuming that no such consent or permission was given to Thunderf00t.

Don’t even start trying to blame people for trusting Thunderf00t. He took advantage of their trust, that’s where the blame lies.

@25: Kirbywarp, I am not sure what you read that you think I wrote but I did not discuss anything about what he has or has not released or where or when he got it with one exception. When Thunderf00t was given access to the email list initially, he was given what is apparently sensitive information (above and beyond what is immediately available through simple search engine results). The problem in this regard is not one of content, but of access. I agree with you that anything Thunderf00t does with that privileged information is his fault, but if the problem is simply potential to cause problems because of information he was freely given (which is sort of how I understand part of Natalie Reed’s blog post, in part) then there is some fault with whoever gave access.

So you can call ‘bull’ all you like, but you are not talking to me because I did not say any of what you responded to. I have one (well, two counting jim’s objection) problems with the litany of offenses leveled against Thunderf00t, and that is all. Is it wrong to want to only damn the man for transgressions I think are his?

@5 & 7: That’d be true for any emails he had while he was legitimately on the list. The things he decided to leak were from after he was removed, and then illegitimately regained access; he had no more legal right to disseminate them then someone would have to broadcast your phonecalls after putting a wiretap on your line.

You claimed that Thunderf00t had a “valid defense” when he talked about how anonymity on the list was already broken. Here’s his own words on the matter:

Nor do they seem to realize that their main beef that I ‘stole their personal details‘ is clearly stupid. I, and everyone else on that mailing list, would have had all of those details (whatever they actually are, I still have no idea) anyways from when they originally signed me up to the mailing list. So what exactly are these personal details they think I’ve ‘stolen’ here?

The problem is not that Thunderf00t had access to the e-mail in the first place. That Thunderf00t knows real names and info is not the problem. The problem is that he was threatening to release that info, and that he thinks he’s entitled to that info (and to do what he wants with it) because:

1. He was put on the mailing list.
2. Other bloggers have revealed pieces of exchanges before.

I’ve already addressed why 2 is false, but 1 is not something that anybody can or should be “blamed” for. The burden is squarely and solely on Thunderf00t’s shoulders for abusing everyone’s trust and threatening to release personal info.

It isn’t even just personal info either. Like the bloggers have been saying, there are conversations on those lists that could be equally harmful if released. And even if Thunderf00t swears up and down that he doesn’t dox anyone, he still feels entitled to release those conversations to people without the author’s knowledge or permission.

[…] are lots of reasons why people had every expectation that the FtB back channel was private, which Greta itemizes. Ashley weighs in on the issue out of pure outrage for the very real personal danger that Natalie […]

At best, what TF did with the emails he obtained while a member of the listserve was extremely unethical and a gross violation of trust. Once he hacked back in, though, I am pretty sure that crossed a boundary into illegal* actions– isn’t hacking other people’s email accounts illegal in most states? If it isn’t it certainly should be. I don’t know if what he did was legally actionable. I do not think that’s the point, anyway, I think the point is that what he did could ruin people’s lives. It’s not the same thing as stealing private information and then actually blackmailing someone, but it is nearly the same thing as informing someone that you *could* blackmail them with stolen information if you wanted to. But you don’t. At least not at the moment. Otherwise, what would be the purpose of stealing private information and then bragging about having it, unless you intend to use that against them in some way?

Shameful, shameful.

*Caveat: I am not a lawyer, nor do I pretend to have anything more than a rudimentary understanding of any area of law enforcement.

Tell that to Natalie Reed. This is in fact one of the problems that is being complained about (and perhaps rightly so). This is all I mean (or have meant), and I do not think you get to dismiss this as not a problem. Note that none of this has anything to do with your claims of ‘bull.’

That Thunderf00t knows real names and info is not the problem. The problem is that he was threatening to release that info, and that he thinks he’s entitled to that info (and to do what he wants with it) …

If it were the case that Thunderf00t weren’t making threats, and wasn’t releasing stuff from the mailing list, the fact that he was put on it in the first place wouldn’t be a problem.

You said:

… but if the problem is simply potential to cause problems because of information he was freely given (which is sort of how I understand part of Natalie Reed’s blog post, in part) then there is some fault with whoever gave access.

That is not the problem. The problem is not that he had the potential to do it, everyone on the mailing list has the potential to cause problems. The issue is that he is actually releasing stuff, and threatening to release more.

If that’s what you mean, then fine. We’re on the same page. But if you’re gonna say that Thunderf00t has any sort of valid defense to make, I’m going to call bull on that.

I don’t hate Thunderf00t, the only videos I’ve ever fully watched of his were his childish bickering against FTB. I just found the rest of his videos boring but that is just because my preferences dont jive with what he offers. I do think he’s being an idiot, the stuff he keeps jabbering on about PZ doing are reasonable on PZs part. Of course FTB is going to be populated by Liberal Atheists, what was he expecting, an Objectivist Blog, a Republican Blog.

He dug his own hole by continuing to care about the Progressive slant on a Progressive guys blog site.

Heres an idea Thunderfoot, make your own damn blog network.

(Sorry for the lack of punctuation and exclamation in this post, my keyboard seems to be broken -.-)

The issue is that he is actually releasing stuff, and threatening to release more.

These things were given to him, and while it might have been under an understanding that he would behave himself (which I do not think he has ever had the reputation of doing) it was not with any legally binding force*. In addition to there being no teeth to back up the fairly mild ‘barking’ of the privacy agreement, there was no technical effort to shield members (and if the list is attaching text it can certainly mask senders actual emails from at least casual observers).

But if you’re gonna say that Thunderf00t has any sort of valid defense to make, I’m going to call bull on that.

It is valid to say that he did not steal the contact information, he was given it. It is valid to further point out that sub-par means were taken to shield members of the list from harm. The second one is only obvious with hindsight.

*I am not a lawyer, but this is consistent with my lay understanding and what has been said by others

@39: Thunderf00t claims that, but doesn’t support that. His evidence amounts to people advocating making a fuss about what he said because it wasn’t fair. I assume this is what resulted in PZ’s post on the topic. If there was a concerted effort to get him fired which involved some unfair tactics, CFI Canada would have been the ones taking the complaints and let them make a fuss about it if they think it appropriate.

Whether or not TF’s actions were legally actionable isn’t really at issue here.

Or anywhere else. A civil suit would be a huge waste of money and good luck getting law enforcement involved. I’ve done over a dozen security incident responses in my career and generally law enforcement only pays attention if you’re the DoD, a bank, someone famous, a large corporation, etc. Remember how much trouble mabus had to cause in order to get anyone to do anything? And what did they do? Basically – nothing.

I’ve mentioned this elsewhere: TF has an ego and he’s now thoroughly burned with this community. That’s a bigger kick in the pants than just about anything else. Ed/PZ/et al’s strategy in dealing with this is exactly the right one: show everyone what they’re dealing with. If he’s got any sense at all, he’ll find some new hobby, like knitting.

@39: I don’t see any plotting to get anyone fired in the messages Thunderf00t posted on his blog, which one would assume would be chosen as the most incriminating ones. The “minor public deal” being discussed is Zinnia Jones’s blog post venting about the idea of having the whole blog network she belongs to dismissed as a single entity by someone who has probably never read half of the bloggers on it – “blog post” not being a euphemism for “phone calls to CFI Canada calling for him to be fired” unless Thunderf00t is privy to some very peculiar and confusing secret language used on the internal Freethought Blogs mailing list.

“The problem is not that Thunderf00t had access to the e-mail in the first place. That Thunderf00t knows real names and info is not the problem. The problem is that he was threatening to release that info”

He’s threatening to release personal information?

I thought he was bragging about not doing that, as in #24, “I don’t steal TVs.” Basically, releasing the contents of the messages with the identifying information erased.

“The problem is not that Thunderf00t had access to the e-mail in the first place. That Thunderf00t knows real names and info is not the problem. The problem is that he was threatening to release that info”

He’s threatening to release personal information?

There’s an equivocation here. He has released private personal communications to third parties and is threatening to release them publicly. He claims this okay because the information he is threatening to release does not necessarily include real-life names and addresses.

@48 I made a specific statement about the law, and an informative one at that, correcting misinformation about the law stated in the OP. I took no side at all.

So I’m an “apologist”, and “smirking”?

Honestly, that feeds exactly into the narrative Thunderfoot is pushing: that the bloggers and commenters here are just on a witch hunt and don’t care about logic, skepticism or accuracy.

If it’s inaccurate information about the law, it’s inaccurate information about the law. Own it, correct it, and move on. The OP being wrong about the law doesn’t change the ethical or moral arguments being presented.

Jim, what are your legal qualifications? I’m not saying that in a snotty way, and I’m not alleging that your comment is without merit. I have seen claims that lawyers have been consulted informally and that they suggested this alleged incident would be actionable.
If you have legal expertise it might be good to include that information.

I have none, and so what I say regarding legalities has only the weight that my non-expertise gives it, but for what it;s worth…

I HAVE heard from lawyers that if you are the recipient of an unsolicited email and that email claims you can’t divulge the contents that that claim is invalid because you could not possibly have given your assent.

This situation is NOT a case of a person receiving unsolicited emails. This is a case of a person allegedly deliberately accessing private emails that he knew he was not permitted access to.

I don’t know if there was a “you agree to these terms” checkbox upon signing up for the list, but I would think (as a layperson) that if so that would be enough rather than a signed non-disclosure form (and that’s if simply having accessed emails that you already knew you were supposed to be barred from receiving isn’t enough on its own.)

If a signed non-disclosure form were what was legally required then most sites like Amazon and Facebook and Gmail would have no protection.

Fuck you. I am not an apologist. As I said, I think he got his ass kicked and deserved it. Speaking from my experience regarding getting the law involved in cybercrime is not making apologies for TF’s stupidity.

Okay, sure, Thunderf00t snitched. Do you really think the best way to respond is with a temper tantrum?

Stop deliberately misrepresenting things.
The allegation is NOT that “Thunderfoot snitched.”

The allegation is that Thunderfoot deliberately and successfully accessed a private mailserv that he knew he was barred from, and when barred again, repeatedly tried to regain unauthorized access. Also allegations that he divulged some information that he accessed without authorization, and suggestions that if he were to release the information that he allegedly deliberately took without authorization, that people could be harmed by it, perhaps severely in some cases.

I can’t state that these allegations are true, but they are allegations of making a deliberate security breach and then repeatedly trying to again, that could result in release of damaging personal information.

If it’s true that what Thunderfoot did is not illegal, then this reflects a gross, gaping hole in our legal system that our descendents should still be embarrassed by a thousand years from now.

The gap is not the definition of what is or isn’t legal; the problem is getting a DA to try to prosecute a technically complicated case where there’s nobody famous, no big money, no “national security” flag waving. What TF did was probably illegal, definitely wrong, and absolutely stupid. It’s not trivial and I’m not trying to trivialize it by any means.

What am I doing about it? Well, I happen to think that getting the mechanism of law involved in more than it can deal with doesn’t serve justice either. I don’t want a DOJ so huge that there are DAs sitting around waiting to prosecute every internet infraction, that’d be a lot of DAs.

In my work with computer security I have, dozens of times, had to lay out for people the likelihood that they will get effective representation from a DA, the FBI, or the USS – how ad why and why not. Is it right? It’s the way it is, unless you want the already-too-big FBI to get a whole lot bigger. :/ What’s more broken is that a civil suit is also improbably expensive. The last suit I was involved in burned $15,000 in a week; justice is indeed for the wealthy. What am I doing about it? I’m uselessly complaining about it on a blog, just like you.

(With respect to computer crime, when your access to a system is revoked – as happened to TF – then you’re breaking into it if you use a stolen credential or otherwise access the system. That’s pretty straightforward. But good luck getting anyone from law enforcement to do anything about it unless you’re Scarlett Johnansen or Citibank)

I am a 2nd year law student and I can unequivocally tell you that no crime has been committed whatsoever.
Only if T-foot actually did release personal identifying information would you MAYBE have grounds for an invasion of privacy tort-and then only IF that leaked information caused some actual concrete harm.

You guys are frankly just really butthurt at being exposed for your petty cliqueshness.

Indeed it turned out that merely hours after this tweet, CFI Canada had been contacted with calls for his dismissal. Yes his real life job was being threatened because of one tweet about FTBs!

Then, not to mention the fact that Ed Brayton has called for an ousting of Thunderf00t because of this whole issue.

It may be that getting fired over a tweet won’t necessarily destroy one’s career, but it would certainly be a setback. When my brother lost his job at the hospital because they downsized the surgery department, it didn’t absolutely destroy his future, but for the next year he had to rely on me and my paycheck to live (and I was happy to support him, but the depression it drove him into is something I never want to wish on anyone).

I mean, I don’t know either of these guys. If they really don’t deserve to be in the free-thinker’s movement, they’ll make amazing fools of themselves and we will just ignore them until they realize they’re unimportant. Taking the fight to them validates their opinion, and lends credence to the idea that the free thinker movement has become clicky. I don’t think we’re clicky, but secret mailservs and a coordinated attack against two people that violated the hive-mind is making me question that idea.

@54: Thunderf00t told someone that they were being talked about on the FTB mailserv. How he got the information certainly is a big issue, yes, but it’s not the one that everyone seems upset over. They’re upset that he has information, divulged some information, and could have divulged other information that put others at risk. Even though Thunderf00t never has and has no incentive to DOX anyone.

So, the issue that we all seem upset over is “Thunderf00t told what was going on in a private mailserv to which he had been barred.” I’d call that snitching.

As an aside: I really like your piano work (Emily is my favorite). You are amazingly talented, and I can only hope to have such an ear for music.

@58 (Stacy): Alright, then what did happen? Greta Christina only writes that Thunderf00t posted something from their private mailserv. What would that something be?

Also, I’m not a “fan” of Thunderf00t. I liked his “Why people laugh at creationists” videos, but that’s the strongest connection I had with him. I only found his blog today, because I wanted to know what he did to piss off FTBs.

In fact, I’m subscribed to Greta’s blog. I respect her, and think her an intelligent and well-spoken individual. This blog post, today, is the first time I’ve waded into this issue (against my better judgement, but I’d had a few beers with dinner). Indeed, I’m beginning to regret even weighing in.

In the end, I don’t think what Thunderf00t says he did was wrong. You can decide for yourself, though, if what he says he did is worth castigation, or if he’s telling the truth on his blog. All I did was read Greta’s post, read Thunderf00t’s post, and conclude that telling someone what’s being said about them isn’t a punishable offence (though gaining access to a mailserv one has been removed from would be). That’s it. I read each person’s account of the event, and came to a conclusion. You’re free to do the same, just I won’t insult the consistency of your mind or your intelligence if your conclusion is different from mine.

@61: Read that quote again. He never claims the calls came from FTB. He just mentions them close together to imply that. Notice that he provides lots of e-mail quotes, but not abotu gettign Payton fired and ignores questions on his blog abotu whether anyone at FTB tried to get Payton fired.

@63: I concede that the calls may not have been instigated by FTB, and calls for his dismissal could have just been offended twitter users. It just looks a little… fishy that someone on the FTB mailserv was talking about “getting involved” and making a deal out of this, while his employer is receiving messages calling for his dismissal.

You’re right that it’s not enough to conclusively say “FTB is guilty of this.”

@64, except that, according to Thunderf00t, the calls were within a few hours of the post goign up and the listserv talk was a couple days later. Zinnia has now outed herself as the one he was quoting and we know what she did about it. She wrote a blog post, which is all the e-mails indicate that she’s going to do.

[…] In case you hadn’t heard: The Freethoughtblogs network was recently informed that former Freethoughtblogs blogger thunderf00t has been forwarding private emails from the private FTB email list. He has not only been forwarding emails sent during the short time he was a blogger on this network — he used a security loophole to re-gain access to the email list shortly after he was fired from the network and blocked from the list, and has been accessing emails he never had any right to see. When this security breach was discovered and he was shut out again, he tried several times to re-access the private list. And he has already made the content of some of those emails public. (UPDATE: If you want to know exactly what thunderf00t did and how, Jason Thibeault has the technical details.) […]

Jim, what are your legal qualifications? I’m not saying that in a snotty way, and I’m not alleging that your comment is without merit. I have seen claims that lawyers have been consulted informally and that they suggested this alleged incident would be actionable.
If you have legal expertise it might be good to include that information.

Not intending to post verifiable details here as to my qualifications (I think these episodes have provided ample evidence as to the risks of doing so), I would just have to ask either that you take my word that I am qualified to comment, research the issue yourself, or just ignore my comment. I am actually quite qualified to have made the comment I did. If someone thinks I am making a mis-statement with respect to contract law I am open to that discussion.

So, with that in mind, I will only add that the specifics of legal action will vary tremendously based on jurisdiction and that I was making a very limited legal point. I did not say, for example, that there was no actionable conduct in this circumstance. I was not addressing potential “hacking” actions, and was speaking generally to US contract and copyright law. I did not address the potential circumstance of TFoot perhaps separately having signed a confidentiality agreement at some other time related to the list. There are other possibilities even after that. Nor did I make any statement with regard to the ethics or morality of TFoot’s actions.

My only general point is that adding a notice at the end of a post does not ordinarily create “agreement” between two parties that would create a private, contract-based legal claim in the way that the OP stated (“Every time he sent or received one of these emails, he was signing onto this agreement:”). In other words, as far as I can tell what was said was not an accurate statement of law.

Hopefully this is a useful clarification.

On a related point, I also consider the exchange between myself an Azkyroth an example of how easy it is to get labelled and how those labels immediately start to color the overall interaction. These issues create such strong responses I hope people will be thoughtful in their reading and response.

I would just have to ask either that you take my word that I am qualified to comment, research the issue yourself, or just ignore my comment.

That came across more dismissively than I intended. What I was trying to drive at is that without providing sufficient information that can be verified, you’re better off trying to validate the accuracy of the information itself since you wouldn’t have any basis to know whether I was telling the truth or not about my credentials.

There is a very real difference between “real damage COULD have been done” and “real damage WAS done”.

How about damage CAN be done? Thunderf00t presumably still has copies of those mails, along with a lot of personal information.

If I had exploited a security breach in the phone lines to record your personal conversations and had then revealed some of what you had said to a third party, would you really be very comforted by the thought that I hadn’t revealed anything really private yet?

Yep. Thunderf00t is a detestable, underhanded cad for “hacking” into an email server he didn’t have permission to access, but PZ is a hero for “hacking” into a phone conference with a code he didn’t have permission to use. Makes perfect sense.

Yep. Thunderf00t is a detestable, underhanded cad for “hacking” into an email server he didn’t have permission to access, but PZ is a hero for “hacking” into a phone conference with a code he didn’t have permission to use. Makes perfect sense.

The mental gymnastics you need to perform in order to equivocate between those two situations is stunning:

1) Thunderf00t accesses a mail server he knew to be private and was booted from and then shares messages with third parties who never had access.

2) PZ unmutes himself during a conference call he was invited to participate in about a film in which he featured.

In regards to 18 USC 2701, I’m not sure an email list qualifies as “a facility through which an electronic communication service is provided.” The emails were sent directly to him, regardless of how he got himself on the list; he didn’t really access the facility where the messages were stored (gmail or whatever, nor anyone’s inbox or email storage).

And without a doubt, that statute wasn’t written for this type of scenario; which is relevant, although not dispositive.

Without otherwise making a judgement, I don’t think a criminal case is likely to stand up. And any civil case requires damages that a court can remedy with money or possibly an injunction, neither of which is likely since it doesn’t look like any money was lost and injunctions require a heavy-burden.

Comments are closed.

The Orbit is a diverse collective of atheist and nonreligious bloggers committed to social justice, within and outside the secular community. For more information, please see our About Us page.

All content is copyright the authors except where otherwise noted. Contact the authors individually for further information.